W2Kpro trust issues

Guest

I am having issues with some workstations.
I try to log into a machine that has been working in the domain for some
time and all of a sudden when logging in we get a domain workstation
error, "The trust relationship between this workstation and the primary domain
failed". There is a KB article
http://support.microsoft.com/default.aspx?scid=kb;en-us;162797
pertaining to NT Workstation that says remove from domain and put in a
workgroup, then reboot and add back to the domain. We have been doing this
whenever it pops up but it is happening a fair bit more frequently.
Domain/Machine specs
NT4/Novell5 domain
All machines are Win2kpro sp3
Machines have all been imaged with Ghost8.5
TIA
Wayne
 
Phillip Windell

AH! Ghost! Did you remember to run GhostWalker to change the SID after you
"imaged" the machine? What you may have is a bunch of machines that have
different names BUT all have the same SID. The domain uses the SID to
identify a machine's membership, not really the Name. So you end up with SID
conflicts.

Remove the machines from the Domain and into a Workgroup (make sure the
account deletes properly in AD on the DC). Boot them with a floppy and run
GhostWalker (ghstwalk.exe) from the floppy and change the machine's SID
(leave the name alone). Boot the machine back up normally, and rejoin it to
the Domain. Life should be much easier now ;-)
 
Guest

Phillip Windell said:
AH! Ghost! Did you remember to run GhostWalker to change the SID after you
"imaged" the machine? What you may have is a bunch of machines that have
different names BUT all have the same SID. The domain uses the SID to
identify a machine's membership, not really the Name. So you end up with SID
conflicts.

Remove the machines from the Domain and into a Workgroup (make sure the
account deletes properly in AD on the DC). Boot them with a floppy and run
GhostWalker (ghstwalk.exe) from the floppy and change the machine's SID
(leave the name alone). Boot the machine back up normally, and rejoin it to
the Domain. Life should be much easier now ;-)

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



Thanks Phillip.
I should say that I only used Ghost to actually put the image on the machine.
I did use sysprep to ready the machine.
When sysprep shut down the machine I used Ghost to create the image.
Would this make a difference?
Thanks for your help
 
Phillip Windell

WP said:
When sysprep shut down the machine I used Ghost to create the image.
Would this make a difference?

I never use SysPrep so I could be wrong, but I don't think it makes a
difference, I believe you still end up with the same SID. So I still think
you need to do as I instructed.
 
Richard G. Harper

That should have worked - I have several hundred PCs that I've deployed
using SYSPREP and Ghost and have never had a problem. Are your domain
controllers showing any errors, especially in regard to replication? It
sounds like the problem may be on the DC, not on the PC.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
manual updates

I just ran into this same problem. "The trust relationship between
this workstation and the primary domain failed." Net use responds with
"system error 5". I have a W2K domain with XP client computers.

Each week I restore machines from Ghost images. The images are unique
for each computer. Images were formed AFTER each machine was joined
to the domain. Images have provided valid domain credentials for
several weeks.

NETWORK FILESHARING CREDENTIALS WERE COMPROMISED RECENTLY. The ghost
restore process did not compromise credentials in previous weeks.
Credentials were sufficient on the restored system to use network
filesharing and even remote desktop. THE RECENT CONFLICT prevents
normal communication with the domain controller.

I'm looking at the following updates on the XP clients:

Critical Update for Office XP on Windows XP Service Pack 2 (KB885884)

Cumulative Security Update for Internet Explorer for Windows XP
Service Pack 2 (KB834707)

The connection from client (XP) to domain controller (W2K) for
filesharing is normal but the connection for credentials fails.

I'm also checking updates on the W2K server.
 
manual updates

Here's my solution. Take each computer off of the domain and join the
workgroup. Re-join the domain. The workstations will now find their
trust with the domain controller as expected when accessing shared
directories. This doesn't explain why the trust "broke" or if it could
"break" again in the future.

I suspect I'll have to use sysprep every time I restore a local ghost
image. These images were already "prepped" for each computer. The
SID is unique and plug and play configured the unique hardware. It's
extra work for me to prep images that were already prepped, but if the
trust relationship is broken then my images need a way to talk to the
DC and make it right.
 
